Deserialization of Untrusted Data in spatie/image-optimizer #210

Open
Sonicrrrr opened this issue Feb 27, 2024 · 2 comments
Comments

@Sonicrrrr
Contributor

Description
ImageOptimizer is vulnerable to PHAR deserialization because the input is not checked before it is passed into the file_exists() function. If an attacker can upload files of any type to the server, they can use the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when ImageOptimizer is used with frameworks that have documented POP chains (e.g. Laravel) or with vulnerable developer code.
Proof of Concept
Set up the following code in /var/www/html: vuln.php represents our use of ImageOptimizer functions and phar-poc.php represents code with a vulnerable POP chain.
[screenshot: vuln.php]
[screenshot: phar-poc.php]
As an attacker, we generate our PHAR payload using the following exploit script:
[screenshot: exploit script]
Generate with:
[screenshot: generation command]
and execute vuln.php with `php vuln.php`; you should see whoami being executed.
[screenshot: whoami output]
Note that after generating the PHAR exploit code, an attacker can rename it to whatever extension or filename they want. It is possible to rename test.phar to test.png to bypass any file extension check by the developer and specify phar://test.png in the $pathToImage.

Impact
This vulnerability is capable of remote code execution if ImageOptimizer is used with frameworks or developer code with vulnerable POP chains.

Recommended Fix:
Filter the phar:// protocol.
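The guard below is an added example, not code from spatie/image-optimizer or from the reporter's proof of concept. It shows the vulnerable shape (attacker-controlled string straight into file_exists()) next to a hardened shape that rejects every PHP stream wrapper, not only the literal string "phar://". Two details matter in practice: PHP matches wrapper schemes case-insensitively, so "PHAR://" must be rejected too, and a NUL byte makes file_exists() throw in PHP 8. The class and function names (PathGuard, optimizeUnsafe, optimizeSafe) are assumptions for illustration. Note also that PHP 8.0 stopped unserializing phar metadata automatically on phar:// stream operations, so the file_exists() trigger described above applies to PHP 7.x targets; the guard still closes the phar:// path on every version.

```php
<?php
// Added example (not part of spatie/image-optimizer): reject stream-wrapper
// paths before they reach file_exists(). Names below are hypothetical.
declare(strict_types=1);

final class PathGuard
{
    /**
     * Returns true only for plain filesystem paths. Any PHP stream wrapper
     * (phar://, php://, data://, ftp://, ...) is rejected. The scheme is
     * matched case-insensitively because PHP resolves wrappers that way,
     * so "PHAR://" is caught as well as "phar://". Leading whitespace is
     * skipped so " phar://x" is not mistaken for a relative path.
     */
    public static function isPlainPath(string $path): bool
    {
        // Embedded NUL bytes make file_exists() throw on PHP 8 and never
        // belong in a legitimate image path.
        if (strpos($path, "\0") !== false) {
            return false;
        }
        // "scheme://" at the start means a stream wrapper; a Windows drive
        // letter ("C:\...") has no "//" and passes.
        return preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $path) !== 1;
    }

    /** Throws instead of silently accepting, for use at an API boundary. */
    public static function assertPlainPath(string $path): string
    {
        if (!self::isPlainPath($path)) {
            throw new InvalidArgumentException(
                'Stream wrappers are not allowed in image paths: ' . $path
            );
        }
        return $path;
    }
}

// Vulnerable shape: the attacker-controlled string reaches file_exists()
// unchanged, so "phar://uploads/test.png" is accepted as a path.
function optimizeUnsafe(string $pathToImage): bool
{
    return file_exists($pathToImage);
}

// Hardened shape: the same call, but only after the guard has run.
function optimizeSafe(string $pathToImage): bool
{
    return file_exists(PathGuard::assertPlainPath($pathToImage));
}

// Constructed sample inputs and the verdict the guard should return.
$cases = [
    'phar://uploads/test.png'  => false,
    'PHAR://uploads/test.png'  => false,
    ' phar://uploads/test.png' => false,
    'php://filter/resource=x'  => false,
    "uploads/a.png\0.phar"     => false,
    '/var/www/uploads/a.png'   => true,
    'uploads/a.png'            => true,
    'C:\\images\\a.png'        => true,
];

foreach ($cases as $path => $expected) {
    $got = PathGuard::isPlainPath($path);
    printf("%-32s plain=%-5s %s\n",
        var_export($path, true),
        var_export($got, true),
        $got === $expected ? 'ok' : 'FAIL');
}

// The hardened entry point refuses the PoC path outright.
try {
    optimizeSafe('phar://uploads/test.png');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php guard.php`; every case should print "ok" and the final call should print the rejection message. A prefix check alone ("starts with phar://") would miss the upper-case and whitespace variants in the table, which is why the guard matches any scheme followed by "://".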

@freekmurze
Member

Thanks for reporting.

Could you PR a fix?

To prevent regressions, please also add a test.

@Sonicrrrr
Contributor Author

I have submitted a pull request to fix the security vulnerability. Will you assign a CVE number to this vulnerability?
